If you spent any time on the internet this holiday season, you likely saw friends and family sharing a photo matching their face with their celebrity look-alike. If they didn’t share the photo, it very likely was made publicly available anyway.

The Twinning app created by Popsugar has been inadvertently making the photos uploaded by its users publicly available via an unsecured web address where the pics were stored.

TechCrunch discovered the data leak on Monday when it noticed an Amazon Web Services storage bucket URL in the source code of the Popsugar Twinning web app. A real-time photo stream of users uploading pics to the app was viewable when opening the AWS address in a web browser.

Popsugar has since closed the photo leak. In an email to TechCrunch, Popsugar’s VP of engineering Mike Patnode explained that “the bucket permissions weren’t set up correctly” on the app.

While the permissions issue has now been fixed on Popsugar’s end of things, many of the photos that were uploaded — shared by its users or not — are still publicly available on Google image search.

The Twinning app by Popsugar was originally launched in February of this year. It went viral again over the past few weeks in December. Twinning allows users to snap a photo within the web app or upload a pic from their computer. The app then matches users with their celebrity twin and provides a shareable side-by-side image.

If you used the Twinning app and were unhappy with the photo you took or the celebrity look-alike you were matched with, you may have chosen to keep the results private. Popsugar may have accidentally made your image public anyway.